CVE-2026-23968

Copier safe template has arbitrary filesystem read access via symlinks when _preserve_symlinks: false

Description

Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it turns out, a safe template can currently include arbitrary files/directories outside the local template clone location by using symlinks along with `_preserve_symlinks: false` (which is Copier's default setting). Version 9.11.2 patches the issue.

INFO

Published Date :

2026-01-21T22:13:25.377Z

Last Modified :

2026-01-22T16:49:32.054Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-23968 vulnerability.

Vendors	Products
Copier-org	Copier

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-23968.

URL	Resource
https://github.com/copier-org/copier/commit/b3a7b3772d17cf0e7a4481978188c9f536c8d8f6
https://github.com/copier-org/copier/security/advisories/GHSA-xjhm-gp88-8pfx

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact